htaccess

Hi travelatelier,
After a quick look through all these links, I’m pretty sure it will be easier to check a list of the features that Wordfence can provide then you can decide which snippet from the links above you need to add to your website, because I can tell that most of these snippets are already included in Wordfence but you will not see these codes directly in .htaccess file because Wordfence loads a firewall protection layer just in front of your website where all the magic happens.

Please check “Wordfence Options, Features and Usage” page on our documentation website to learn more about Wordfence features, also I should mention that any codes added in .htaccess file by Wordfence will be wrapped by # Wordfence WAF and # END Wordfence WAF comment lines.

Let me know if you have any question about any of Wordfence features,
Thanks.

So, would you mind if I copy here what I implemented and get your recommendation for the ones to keep?

No problem, please use pastebin to paste the content of your .htaccess file and share the link here in a reply.

Thanks.

Hi Wfalaa,

Thank you very much for your response. This did not really worked for me.

Either I did this by changing things in htaccess or after the last update it happened, I don’t know, but here is the error log while WP Rocket is pre-loading the cache. These errors stop when I deactivate Wordfence. Depending on the number of pages, these errors can show either 5 times or 250.

https://www.domain.com [warn] [pid number] fcgid_bridge.c(number): (32)Broken pipe: [client ip number] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
https://www.domain.com [warn] [pid number] fcgid_bridge.c(number): (32)Broken pipe: [client ip number] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
It also sometimes say connection reset by peer
Auto index is another issue with an error message: No matching DirectoryIndex (index.html,index.shtml,index.cgi,index.php,index.php3,index.phtml,index.htm,home.html,welcome.html) found, and server-generated directory index forbidden by Options directive

Here are the manual ones I added:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

# Deny access to all .htaccess files
<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</files>

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

# Fix Index Issue
IndexIgnore *

# Disable directory browsing
Options -Indexes

## Protect from spam bots ##
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.domain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

# libwww block
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ – [F,L]
# END libwww block

# disable hotlinking of images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
# END disable hotlinking

## Restrict WordPress Login Pages to Your Own IPs ##
<Files wp-login.php>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.2
</Files>
<Files login>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.1
</Files>

Regarding the fcgid warnings, it’s something related to fcgid parameters, please check this similar issue, most probably you will need to contact your web host regarding this one.

For the auto index issue, I can see you have these two snippets in .htaccess file:

# Fix Index Issue
IndexIgnore *

# Disable directory browsing
Options -Indexes

This is not correct, you can’t have both snippets together, please check the difference between them following this link, I recommend removing IndexIgnore *.

After checking your .htaccess file content, I recommend the following:
– Check (Wordfence > Options => Rate Limiting Rules) in case you are seeking for options allowing you to control the crawlers/bots behavior.
– From (Wordfence > Advanced Blocking) you can block certain User-Agent from accessing your website, “libwww” for example.
– Check (Wordfence > Options => Login Security Options) to control the wp-login access in several ways.

And you can keep the rest, no problem.

BTW, in the last snippet you added “## Restrict WordPress Login Pages to Your Own IPs ##”, I can see you whitelisted 192.168.1.1 and 192.168.1.2, these can not be your public IPs, these are part of the private network IPs which Wordfence whitelists by default, use this tool to get your public IP.

Thanks.

Thank you so much again Wfalaa.

I also see 404 errors for the following urls: What would be the proper way to ban those immediately?

?/license.php
/administrator
/admin?/content?/sitetree
?/panel
?/bitrix?/admin
?/manager
?/admin.php
?/user
/register/user
/git/

and many more.. Is there a safe list I can use for “Immediately block these IPs accessing non existing urls”

Then you should check (Wordfence > Options => Other Options => Immediately block IPs that access these URLs).

Also you can block/throttle a crawler or human accessing “404 page not found” from (Wordfence > Options => Rate Limiting Rules => If a crawler’s pages not found (404s) exceed, If a human’s pages not found (404s) exceed).

Thanks.

thank you so much again.
My question was rather about adding the right wildcards for these bots that are also searching files in /wp-content/plugins/theme-etc/bla bla